-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtemplate.yml
190 lines (170 loc) · 5.67 KB
/
template.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
AWSTemplateFormatVersion: "2010-09-09"
Transform:
- AWS::Serverless-2016-10-31
Description: >-
A fully serverless and cost efficient data platform framework allowing you
to ingest JSON data at full speed to AWS Athena.
Parameters:
EnableEncryption:
Description: >-
Configure resources to use a KMS Key to encrypt all log, S3 and at-rest
SQS data throughout the data platform. You can either use your own key or
let these Cloudformation templates create one for you. Not free-tier
compliant: Key creation cost $1/month with further usage cost. Leave
empty if you don't know what you're doing.
AllowedValues:
- "True"
- "False"
Default: "False"
Type: String
KmsKeyArn:
Description: >-
(Optional) If EnableEncryption is set to "True", the ARN of your external
customer master key that will be used to encrypt the data plaform data.
Set to "NONE" to create a new data platform specific KMS Key.
AllowedPattern:
"^(NONE|arn:(aws[a-zA-Z-]*)?:kms:[a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\\d\
{1}:\\d{12}:key/[0-9a-fA-F]{8}\\-[0-9a-fA-F]{4}\\-[0-9a-fA-F]{4}\\-[0-9\
a-fA-F]{4}\\-[0-9a-fA-F]{12})$"
Default: "NONE"
Type: String
EnableApiAuthorization:
Description: >-
Create an authorization layer that the ApiGateway ingress API activates
for all deployed methods. You can either use your own external CUSTOM
REQUEST Lambda authorizer, your own Cognito UserPool, or let these
Cloudformation templates create a new Cognito UserPool for you.
/!\ If set to "False", all ingress API methods, including PutObject
integrations, will be exposed without Authorization to Internet traffic.
AllowedValues:
- "True"
- "False"
Default: "False"
Type: String
ApiAuthorizerArn:
Description: >-
(Optional) If EnableApiAuthorization is set to "True", the ARN of your
external Api Authorizer. This can either be a Lambda ARN which will be
used as a CUSTOM REQUEST Authorizer, or a Cognito UserPool ARN.
Set to "NONE" to create a new data platform specific Cognito UserPool.
AllowedPattern:
"^(NONE|arn:(aws[a-zA-Z-]*)?:lambda:[a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\
\\d{1}:\\d{12}:function:[a-zA-Z0-9-_]+|arn:(aws[a-zA-Z-]*)?:cognito-idp\
:[a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\\d{1}:\\d{12}:userpool/[a-zA-Z0-9\
-_]+)$"
Default: "NONE"
Type: String
Conditions:
ShouldDeployCognitoUserPool:
Fn::And:
- Fn::Equals:
- "True"
- !Ref EnableApiAuthorization
- Fn::Equals:
- "NONE"
- !Ref ApiAuthorizerArn
ShouldDeployDataPlatformKmsKey:
Fn::And:
- Fn::Equals:
- "True"
- !Ref EnableEncryption
- Fn::Equals:
- "NONE"
- !Ref KmsKeyArn
ShouldEnableApiAuthorization:
Fn::Equals:
- "True"
- !Ref EnableApiAuthorization
ShouldEnableEncryption:
Fn::Equals:
- "True"
- !Ref EnableEncryption
Resources:
EncryptionKey:
Type: AWS::Serverless::Application
Condition: ShouldDeployDataPlatformKmsKey
Properties:
Location: ./010-encryption-key/template.yml
LambdaDependencies:
Type: AWS::Serverless::Application
Metadata:
NestedPackageBucketName: >-
aws-sam-cli-managed-default-samclisourcebucket-1u017r05ihmw0
Properties:
Location: ./100-lambda-dependencies/packaged.yml
LoggingBucket:
Type: AWS::Serverless::Application
Properties:
Location: ./110-logging-bucket/template.yml
Parameters:
KmsKeyArn:
Fn::If:
- ShouldEnableEncryption
- Fn::If:
- ShouldDeployDataPlatformKmsKey
- !GetAtt EncryptionKey.Outputs.DataPlatformKeyArn
- !Ref KmsKeyArn
- NONE
LakeBuckets:
Type: AWS::Serverless::Application
DependsOn:
- LoggingBucket
Properties:
Location: ./200-lake-buckets/template.yml
Parameters:
KmsKeyArn:
Fn::If:
- ShouldEnableEncryption
- Fn::If:
- ShouldDeployDataPlatformKmsKey
- !GetAtt EncryptionKey.Outputs.DataPlatformKeyArn
- !Ref KmsKeyArn
- NONE
LakeFunctions:
Type: AWS::Serverless::Application
DependsOn:
- LakeBuckets
- LambdaDependencies
Metadata:
NestedPackageBucketName: >-
aws-sam-cli-managed-default-samclisourcebucket-1u017r05ihmw0
Properties:
Location: ./210-lake-functions/packaged.yml
Parameters:
KmsKeyArn:
Fn::If:
- ShouldEnableEncryption
- Fn::If:
- ShouldDeployDataPlatformKmsKey
- !GetAtt EncryptionKey.Outputs.DataPlatformKeyArn
- !Ref KmsKeyArn
- NONE
UserPool:
Type: AWS::Serverless::Application
Condition: ShouldDeployCognitoUserPool
Properties:
Location: ./300-user-pool/template.yml
Ingress:
Type: AWS::Serverless::Application
DependsOn:
- LakeBuckets
Properties:
Location: ./310-ingress/template.yml
Parameters:
EnableApiIntegrationLogs: "False"
KmsKeyArn:
Fn::If:
- ShouldEnableEncryption
- Fn::If:
- ShouldDeployDataPlatformKmsKey
- !GetAtt EncryptionKey.Outputs.DataPlatformKeyArn
- !Ref KmsKeyArn
- NONE
ApiAuthorizerArn:
Fn::If:
- ShouldEnableApiAuthorization
- Fn::If:
- ShouldDeployCognitoUserPool
- !GetAtt UserPool.Outputs.UserPoolArn
- !Ref ApiAuthorizerArn
- NONE